Privacy Act of 1974

Download PDF
Federal RegisterFeb 6, 2013
78 Fed. Reg. 8538 (Feb. 6, 2013)

AGENCY:

Department of Health and Human Services (HHS), Centers for Medicare & Medicaid Services (CMS).

ACTION:

Notice to establish a new system of records.

SUMMARY:

In accordance with the requirements of the Privacy Act of 1974, CMS is establishing a new system of records titled, “Health Insurance Exchanges (HIX) Program,” to support the CMS Health Insurance Exchanges Program established under provisions of the Affordable Care Act (PPACA) (Pub. L. 111-148), as amended by the Health Care and Education Reconciliation Act of 2010 (Pub. L. 111-152). The Health Insurance Exchanges (HIX) Program includes Federally-facilitated Exchanges operated by CMS, CMS support and services provided to all Exchanges and state agencies administering Medicaid, CHIP and the BHP, and CMS administration of advance payment of premium tax credits and cost-sharing reductions. The system of records will contain personally identifiable information (PII) about certain individuals who apply or on whose behalf an application is filed for eligibility determinations for enrollment in a qualified health plan (QHP) through an Exchange, and for insurance affordability programs. Exchange functions that will utilize PII include eligibility, enrollment, appeals, payment processes and consumer assistance. The system will also contain information about qualified employers seeking to obtain health insurance coverage for its qualified employees through a Small Business Health Options Program (SHOP). In addition, the system will include PII of marketplace assisters, Navigators and Agents/Brokers, their officers, employers and contractors; contact information for QHP Issuers seeking certification that may contain personally identifiable information of their officers, and employees or contractors; employees and contractors of the Exchange and CMS. The program and the system of records are more thoroughly described in the Supplementary Information section and System of Records Notice (SORN), below.

DATES:

Effective Dates: Effective 30 days after publication. Written comments should be submitted on or before the effective date. HHS/CMS/CCIIO may publish an amended system of records notice (SORN) in light of any comments received.

ADDRESSES:

The public should send comments to: CMS Privacy Officer, Division of Privacy Policy, Privacy Policy and Compliance Group, Office of E-Health Standards & Services, Office of Enterprise Management, CMS, Room S2-24-25, 7500 Security Boulevard, Baltimore, Maryland 21244-1850. Comments received will be available for review at this location, by appointment, during regular business hours, Monday through Friday from 9:00 a.m.—3:00 p.m., Eastern Time zone.

For Information on Health Insurance Exchanges Contact: Karen Mandelbaum, JD, MHA, Office of Health Insurance Exchanges, Consumer Information and Insurance Systems Group, Center for Consumer Information and Insurance Oversight, 7210 Ambassador Road, Baltimore, MD 21244, Office Phone: (410) 786-1762, Facsimile: (301) 492-4353, E-Mail: karen.mandelbaum@cms.hhs.gov

SUPPLEMENTARY INFORMATION:

I. Health Insurance Exchanges Program

The Affordable Care Act (ACA) requires Exchanges to use a single, streamlined application for consumers to use in applying for eligibility determinations for enrollment in a QHP through the Exchange, for insurance affordability programs, and for certifications of exemption from the individual responsibility mandate and penalty. The insurance affordability programs that the Exchanges will determine eligibility for include: (a) The advance payment of the premium tax credits (APTC); (b) cost-sharing reductions (CSR); (c) Medicaid, (d) Children's Health Insurance Program (CHIP), and (e) Basic Health Plan (BHP), if a BHP is operating in the service area of the Exchange. The information requested on the application includes all of the information necessary for determining eligibility and enrolling individuals and qualified employees in a QHP through the Exchange or SHOP and for determining eligibility for insurance affordability programs. The applicant must be able to file this application online, by telephone, in person or by mail with the entity that is administering the eligibility and enrollment functions of the Exchange. This eligibility and enrollment process will be conducted in real-time through electronic data transfer.

The applicant/enrollee, the application filer on behalf of other applicants, or the authorized representative of the applicant/enrollee will be asked to provide the minimum amount of information necessary to support the eligibility and enrollment processes of the above listed programs. The categories of information requested on the application include personal, employment, financial, demographic, and pregnancy status and tobacco use. Section 1411 of the Affordable Care Act requires verification of the information received from applicants/enrollees. The information provided by an applicant/enrollee, or by an application filer on behalf of other applicants, on the application will be matched and verified against data provided by the Internal Revenue Service (IRS), Social Security Administration (SSA), Department of Homeland Security (DHS), Department of Veterans Affairs (VA),Department of Defense (DoD), Peace Corps, and Office of Personnel Management (OPM) that is maintained by the Federally-facilitated Exchange (FFE). State-based Exchanges (SBEs) will send requests for data matching through the Data Services Hub (Hub). Exchanges can also permit certain individuals and entities to assist applicants and enrollees. These include Navigators, Agents, Brokers and employees, agents and contractors of the Exchange (e.g. marketplace assisters).

Section 1943(b) of the Social Security Act (as amended by Section 2201 of the Affordable Care Act), as implemented through regulations adopted by the Secretary of HHS, requires that Medicaid and CHIP agencies utilize the same streamlined enrollment system and secure electronic interface established in Section 1413 to verify information, including federal tax information, financial and quarters of coverage information held by the Social Security Administration, Social Security Number (SSN) and citizenship, needed to make an eligibility determination and facilitate a streamlined eligibility and enrollment system among all insurance affordability programs. This enrollment system and secure electronic interface is the same one developed by HHS to comply with sections 1411(c) and 1411(d) of the Affordable Care Act for purposes of determining eligibility to enroll in a qualified health plan (QHP) through an Exchange State Medicaid, Chip and BHP agencies will send requests for data matching through the Data Services Hub (Hub).

With respect to determinations of eligibility for Medicaid and CHIP, the FFE can make either an assessment of eligibility or a determination of eligibility. Unless the FFE assesses an applicant/enrollee as ineligible for a Medicaid, CHIP or BHP program and the applicant/enrollee requests to withdraw his/her application for Medicaid, CHIP or BHP, the FFE must notify the State Medicaid or CHIP agency and transmit all information obtained or verified by the CMS in operation of the FFE via secure electronic interface for that other agency to make a full determination of eligibility under those programs and provide the applicant with coverage.

When applicants/enrollees receive a determination that they are qualified to enroll in a QHP and have chosen a QHP to enroll in, the Exchange will notify the QHP Issuers of individual enrollment selections and transmit the information necessary to implement, discontinue or modify enrollment and/or the level of payments processed and received through the APTC and CSR programs and information regarding the premium payments due from the enrollees.

Enrollees are required to update information that would impact their eligibility status, and an Exchange will perform mid-year redeterminations using the same system used for initial determinations of eligibility when it receives updated information regarding an enrollee either directly from the enrollee or through a periodic examination of data sources. The Secretary along with the other appropriate agencies will establish an appeals process for individuals and employers when eligibility is denied as a result of inconsistencies between the information obtained from applicants/enrollees and employers and information and data verified through the Exchange. CMS will also process enrollment and payment transactions to facilitate APTC payments for all Exchanges; SBEs will send this information to CMS through the Hub. The FFE will store eligibility and enrollment records, system user records, appeals records, consumer services records and SHOP employer records for all Exchanges. The Hub will be a pass-through for SBEs for providing information from applicants/enrollees to CMS and for the FFE to share data with SBEs, Medicaid, CHIP and BHP agencies.

Each Exchange, including the FFE, will establish a SHOP to assist qualified employers and facilitate the enrollment of qualified employees into QHPs. Eligibility determinations are not made on the individual level in a SHOP; rather, the information that an employer is required to provide about employees includes, the name and address of the employer, number of employees, Employer Identification Number (EIN), and list of qualified employees and their tax ID numbers.

The FFE will be responsible for performing oversight functions with respect to issuer compliance with market-wide and Exchange specific standards in connection with QHPs certified by the FFE. The FFE will require QHP Issuers to submit, as requested by the FFE, certified financial information including information related to ownership and control and information demonstrating that the issuer is fiscally sound, information that is necessary to administer and evaluate the program, including but not limited to, enrollee complaints against the QHP issuer and their disposition, enrollee appeals and their disposition, formal actions, reviews, findings or other similar actions by States, other regulatory bodies or any other certifying or accrediting organization, and any other information deemed necessary by the FFE for the administration of the FFE or certification of QHPs. In addition, the FFE will require qualified health plans to periodically report the activities that the health plan has implemented in order to improve health outcomes.

CMS will also administer the administration of advance payment of premium tax credits and cost-sharing reductions for all Exchanges. The PII that will be collected, disclosed and used as part of this administration includes QHP enrollment, premium payment information, and information about cost-sharing payments necessary to reconcile estimates of cost-sharing reductions with actual cost-sharing reductions.

II. The Privacy Act

The Privacy Act (5 U.S.C. 552a) governs the means by which the United States Government collects, maintains, and uses PII in a system of records. A “system of records” is a group of any records under the control of a Federal agency from which information about individuals is retrieved by name or other personal identifier. The Privacy Act requires each agency to publish in the Federal Register a system of records notice (SORN) identifying and describing each system of records the agency maintains, including the purposes for which the agency uses PII in the system, the routine uses for which the agency discloses such information outside the agency, and how individual record subjects can exercise their rights under the Privacy Act (e.g., to determine if the system contains information about them).

SYSTEM NUMBER:

09-70-0560

SYSTEM NAME:

Health Insurance Exchanges (HIX) Program, HHS/CMS/CCIIO

SECURITY CLASSIFICATION:

Unclassified

SYSTEM LOCATION:

CMS Data Center, 7500 Security Boulevard, North Building, First Floor, Baltimore, Maryland 21244-1850, Health Insurance Exchanges Program (HIX) locations, and at various contractor sites.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

The system will contain personally identifiable information (PII) about the following categories of individuals who participate in or are involved with the CMS Health Insurance Exchanges Program: (1) Any applicant/enrollee who applies, or on whose behalf an application is filed, for an eligibility determination for a qualified health plan (QHP) through an Exchange, insurance affordability program, or for a certification of exemption; (2) Navigators, Agents, Brokers, individuals or entities that are required to register with an Exchange prior to assisting qualified individuals to enroll in QHPs through the Exchange; (3) officers, employees and contractors of the Exchange; (4) employees and contractors of CMS (e.g. marketplace assisters, appeals staff); (5) contact information and business identifying information of QHPs seeking certification; (6) persons employed by or contracted with an Exchange organization who provide home or personal contact information; and (7) any qualified employer and the qualified employees whose enrollment in a QHP is facilitated through a Small Business Health Options Program (SHOP).

CATEGORIES OF RECORDS IN THE SYSTEM:

Information maintained in this system for individual applicant/enrollees includes, but may not be limited to, the applicant's first name, last name, middle initial, mailing address or permanent residential address (if different from the mailing address), date of birth, Social Security Number (if the applicant has one), taxpayer status, gender, ethnicity, residency, email address, and telephone number. The system will also maintain information that will verify the information provided by the individual/enrollee or by the application filer on behalf of other applicants that will enable a decision about an applicant's eligibility. The system will collect and maintain information that the applicant or the application filer on behalf of other applicants submits pertaining to (1) his or her citizenship or immigration status, because only individuals who are citizens or nationals of the U.S. or lawfully present are eligible to enroll; (2) enrollment in Federally funded minimum essential health coverage (e.g. Medicare, Medicaid, Federal Employees Health Benefit Program (FEHBP), Veterans Health Administration (Champ VA), Children's Health Insurance Program (CHIP), Department of Defense (TRICARE), Peace Corps); (3) incarceration status; (4) Indian status; (5) enrollment in employer-sponsored coverage; (6) requests for and accompanying documentation to justify receipt of individual responsibility exemptions, including membership in a certain type of recognized religious sect or health care sharing ministry; (7) employer information; (8) status as a veteran; (9) limited health status information (pregnancy status, blindness, disability status); and (10) household income, including tax return information from the IRS, income information from the Social Security Administration, and financial information from other third party sources. Information will also be maintained with respect to the applicant's enrollment in a QHP through the Exchange, the premium amounts and payment history.

With respect to qualified employers and the qualified employees utilizing SHOP, the information maintained in the system includes but may not be limited to the name and address of the employer, number of employees, Employer Identification Number (EIN), and list of qualified employees and their tax ID numbers.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

The HIX program implements recent health care reform provisions of the Patient Protection and Affordable Care Act (PPACA) (Pub. L. 111-148) as amended by the Health Care and Education Reconciliation Act of 2010 (Pub. L. 111-152) collectively the Affordable Care Act. Title 42 U.S.C. 18031, 18041, 18081—18083 and section 1414 of the Affordable Care Act.

PURPOSE(S) OF THE SYSTEM:

The purpose of this system is to collect, create, use and disclose PII on individuals who apply for eligibility determinations for enrollment in a qualified health plan through the Exchange, for insurance affordability programs, and for certifications of exemption from the individual responsibility requirement and; and as needed to perform the Exchange minimum functions in 45 CFR 155.200; and to maintain records used to support all Health Insurance Exchanges under the HIX Program established by CMS. The system will collect, create, use and disclose PII that will enable HHS to perform oversight and enforcement activities of QHP Issuers offering qualified health plans through the FFE. In addition, HHS, and any contractors assisting HHS, will use PII from the system to assist in accomplishing CMS functions relating to the purposes of this collection and who need to have access to the records in order to assist CMS.

The insurance affordability programs are: (a) The advance payment of the premium tax credits (APTC); (b) cost-sharing reductions (CSR); (c) Medicaid, (d) Children's Health Insurance Program (CHIP), and (e) Basic Health Plan (BHP), if a BHP is operating in the service area of the Exchange.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM

A. Entities Who May Receive Disclosures Under Routine Use

These routine uses specify circumstances, in addition to those provided by statute in the Privacy Act of 1974, under which CMS may release information from the HIX without the consent of the individual to whom such information pertains. Each proposed disclosure of information under these routine uses will be evaluated to ensure that the disclosure is legally permissible, including but not limited to ensuring that the purpose of the disclosure is compatible with the purpose for which the information was collected. We are establishing the following routine use disclosures of information maintained in the system:

1. To support Agency contractors, consultants, or CMS grantees who have been engaged by the Agency to assist in accomplishment of a CMS function relating to the purposes for this collection and who need to have access to the records in order to assist CMS.

2. To disclose information to another Federal agency, agency of a State government, a non-profit entity operating an Exchange for a State, an agency established by State law, or its fiscal agent to (A) make eligibility determinations for enrollment in a QHP through an Exchange, insurance affordability programs, and certifications of exemption from the individual responsibility requirement, (B) to carry out the HIX Program, and (C) to perform functions of an Exchange described in 45 CFR 155.200, including notices to employers under section 1411(f) of the Affordable Care Act.

3. To disclose information about applicants in order to obtain information from other Federal agencies that help CMS, pursuant to agreements with CMS, to determine the eligibility of applicants to enroll in QHPs through an Exchange, in insurance affordability programs, or for a certification of exemption from the individual responsibility requirement.

4. To assist a CMS contractor (including, but not limited to Medicare Administrative Contractors, fiscal intermediaries, and carriers) that assists in the administration of a CMS-administered health benefits program, or to a grantee of a CMS-administered grant program, when disclosure is deemed reasonably necessary by CMS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud, waste or abuse in such program.

5. To assist another Federal agency or an instrumentality of any governmental jurisdiction within or under the control of the United States (including any state or local governmental agency), that administers, or that has the authority to investigate potential fraud, waste or abuse in a health benefits program funded in whole or in part by Federal funds, when disclosure is deemed reasonably necessary by CMS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud, waste or abuse in such programs.

6. To assist appropriate Federal agencies and CMS contractors and consultants that have a need to know the information for the purpose of assisting CMS' efforts to respond to a suspected or confirmed breach of the security or confidentiality of information maintained in this system of records, provided that the information disclosed is relevant and necessary for that assistance.

7. To assist the U.S. Department of Homeland Security (DHS) cyber security personnel, if captured in an intrusion detection system used by HHS and DHS pursuant to the Einstein 2 program.

8. To provide information about applicants to application filers, who are filing on behalf of those applicants, when relevant and necessary to determine eligibility to enroll in QHPs or in insurance affordability programs.

9. To QHP issuers for purposes of administering advance payment of premium tax credits and cost-sharing reductions.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM—

STORAGE:

Electronic records will be stored on both tape cartridges (magnetic storage media) and in a relational database management environment (DASD data storage media). Any hard copies of program related records containing PII at CMS and contractor locations will be kept in secure hard-copy file folders locked in secure file cabinets during non-duty hours.

RETRIEVABILITY:

The records will be retrieved electronically by a variety of fields, including but not limited to first name, last name, middle initial, date of birth, or Social Security Number (SSN).

SAFEGUARDS:

Personnel having access to the system have been trained in the Privacy Act and information security requirements. Employees who maintain records in this system are instructed not to release data until the intended recipient agrees to implement appropriate management, operational and technical safeguards sufficient to protect the confidentiality, integrity and availability of the information and information systems and to prevent unauthorized access.

Access to records in the HIX Database system will be limited to authorized CMS personnel and contractors through password security, encryption, firewalls, and secured operating system. Any electronic or hard copies of records containing PII at CMS, exchanges and contractor locations will be kept in secure electronic files or in hard-copy file folders locked in secure file cabinets during non-duty hours.

RETENTION AND DISPOSAL:

Records are maintained with identifiers for all transactions for a period of 10 years after they are entered into the system. Records are housed in both active and archival files in accordance with CMS data and document management policies and standards.

SYSTEM MANAGER AND ADDRESS:

Director, Consumer Information and Insurance Systems Group, Center for Consumer Information and Insurance Oversight, Centers for Medicare & Medicaid Services, 7501 Wisconsin Ave, 9th Floor, Bethesda, MD 20814.

NOTIFICATION PROCEDURE:

An individual record subject who wishes to know if this system contains records about him or her should write to the system manager who will require the system name, and for verification purposes, the subject individual's name (woman's maiden name, if applicable), and SSN (furnishing the SSN is voluntary, but it may make searching for a record easier and prevent delay).

RECORD ACCESS PROCEDURE:

An individual seeking access to records about him or her in this system should use the same procedures outlined in Notification Procedures above. The requestor should also reasonably specify the record contents being sought. (These procedures are in accordance with Department regulation 45 CFR 5b.5 (a) (2).)

CONTESTING RECORD PROCEDURES:

To contest a record, the subject individual should contact the system manager named above, and reasonably identify the record and specify the information being contested. The individual should state the corrective action sought and the reasons for the correction with supporting justification. (These procedures are in accordance with Department regulation 45 CFR 5b.7.)

RECORD SOURCE CATEGORIES:

Personally identifiable information in this database is obtained from the application submitted by or on behalf of individuals/applicants seeking eligibility determinations, from qualified employers and other employers who provide employer-sponsored coverage, from other Federal and state agencies needed to make eligibility determinations, from marketplace assisters facilitating the eligibility and enrollment processes, from QHPs, from State-based Exchanges that provide information to perform the statutory functions, from states participating in State Partnership Exchanges pursuant to the State Partnership Memorandum of Understanding, and from third party data sources to determine eligibility as described in this notice.

EXEMPTIONS CLAIMED FOR THIS SYSTEM:

None

Dated: January 31, 2013.

Michelle Snyder,

Deputy Chief Operating Officer, Centers for Medicare & Medicaid Services.

[FR Doc. 2013-02666 Filed 2-5-13; 8:45 am]

BILLING CODE 4120-03-P